Windows 8 - Looks really awesome

Discussion in 'other software & services' started by aigle, Sep 13, 2011.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Instead of making security features easily disabled why not simply make a security feature that doesn't have to be disabled?

    You don't have to disable something like ASLR or DEP outside of the rarest occasion.

    Why? Because they work on basic principles that work and they don't bother anyone.
     
  2. guest

    guest Guest

    Why not make both? A multilayer strategy is better and Microsoft has almost unlimited resources available.

    For example, "secure boot" is a feature that less than 5% of the users will want to disable, and it helps.

    Give them the feedback I talked about on the last post, Hungry, I'm not willing to contact them before IE10 Beta starts. :D
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Sure, make both. I've said that since the beginning.

    Just don't make the useless one first.
     
  4. guest

    guest Guest

    rofl, the ones that are more useful are also harder to make and can have consequences on all the landscape of Microsoft providers, ranging from app developers to hardware developers. They take more time and are made by different teams.

    Remember: no need to delay what is ready.
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yes, best to split resources so you can have the marketable very often useless mitigation system out.
     
  6. guest

    guest Guest

    And what proves that Microsoft is doing this?

    As far as I know, there are different teams working on different security features. Never saw a single recent (since the inception of SDL/TCB as Microsoft strategy for new OSes - which started with WinVista) claim about "group dismantlement" against MS and it could easily be made anonymously by some insider.
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Of course there are different teams. But wasting one team's time on a project that's quick and easy to implement is silly.

    Anyway they've had 2 years since Vista. In my opinion that's plenty of time to implement a real security feature. Instead they stick with what they've already got but add defender and smartscreen.
     
  8. guest

    guest Guest

    What time is being wasted? The project works for what it is intended, lol. Once implemented, the thing is almost automatic, requiring only malware analysts:

    [​IMG]

    Why make absolute claims about MS behavior based on limited info? Better to say that "what was shown until now didn't impress me". BTW, Secured boot is a feature that fills your criteria for "really useful". And also this:

     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    It is very much the definition of not automatic. Anything requiring a user is not automatic.

    I meant specifically SS. I like secure boot. I'm always for further ASLR support, though increasing randomness on a 64bit system is a bit of a "future proofing" thing rather than out of necessity.

    I'm not knocking Win8. I'm knocking SS.

    I'm fine with SS existing but IMO it's a waste of dev time and it'll end up doing very little for the users.
     
  10. guest

    guest Guest

    From a Microsoft perspective, I think SS code doesn't seem to require much maintenance. That was what I intended to say by "almost automatic". The SS structure needs many malware analysts (just like MSE) and telemetry from other sources. As these people aren't the same people that code things like ASLR, I don't see what "essential resources" are being split.

    And why would SS code require so much maintenance? The mechanism simply checks links against some blacklist/heuristics/reputation cloud and offers the users an option to deny the download (and with Win8 it will be able to check files and deny file execution with pretty much the same "cloud" it uses with downloads).

    SS doesn't clean anything, nor does it remove anything: it doesn't duplicate MSE. It's just one more layer, useful for the scenarios it was designed for (according, again, to several statistics and studies).
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    By the way, what would you think about being able to colorize your folders? Now, this is something that would be quite useful, when you got way too many sub-folders. If there's one or a few we use often, we could colorize them with different colors.

    We can, of course, use third-party apps, but a native functionality would also be great.

    Why doesn't Microsoft think of something like that? :mad: Oh.. ribbon is this, ribbon is that... Yes, it's kinda nice... But, this stuff is also great... :blink:
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I remember I used to do this back on my mac when I was a little kid lol it was awesome.

    You could probably import an icon pack or something idk

    From a Microsoft perspective, I think SS code doesn't seem to require much maintenance. That was what I intended to say by "almost automatic". The SS structure needs many malware analysts (just like MSE) and telemetry from other sources. As these people aren't the same people that code things like ASLR, I don't see what "essential resources" are being split.
    There's more to security than ASLR. I'm sure these people know plenty to improve ASLR anyways, though that's likely more algorithmic and math heavy as opposed to policy and concepts.

    Anyway, I can think of better uses for their time. I'm fine with MS wasting devs on useless projects, I plan to make a profit from it ASAP.

    Who do you think maintains those blacklists and whitelists? Or making sure the heuristics are relevant? Or simply patching code?

    What scenario is it designed for? Novice users who miraculously care about popups? I've never seen a single user fitting that description and Microsoft's own data has shown time and time again that users cause their own infections.

    How can you look at those statistics (25% disable UAC, 96% cause their own infections) and think that more user-based security is the right idea?

    I like blacklisting (to an extent) and I am... ok with whitelisting (to an extent) but guessing and leaving the decision up to the user? Nope, not ok with that.
     
  13. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Mainly because it's always the haters that scream the loudest and if/when useful people like you suggest something it's drowned out by the complaints. "Oh no, Microsoft want to kill Linux".
     
  14. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    657
    Location:
    HKEY/SECURITY/ (value not set)
    Bold in Quote by HKEY1952

    Create your Own to work with Windows Right Click/Properties

    Right Click Folder/Properties/Customize/Folder icons/Change Icon.../Browse.../Windows/System32/_Icons/

    Here is how, with step by step instructions, yielding real professional results.
    No software needed and is Resident in the Operating System

    Changing a Folder's Icon + Making Your Own Icons:
    http://www.pcdon.com/DonEdrington-MakeYourOwnFileFolderIcons.html


    HKEY1952
     
  15. guest

    guest Guest

    http://www.microsoft.com/security/resources/providers.aspx

    S21sec . RSA Security . Netcraft . MarkMonitor . Internet Identity . Cyveillance . BrandProtect . Sender Score Certified

    There is no known "resource split", dude. They have sufficient programmers and money to hire new people whenever there is a need (and they continue doing so). The projects aren't suffering, or you would know from insiders' mouths as in the past. Things are being managed correctly.

    lol, and the infection rates would be higher without any warnings. The users that ignore them are the ones that mostly get infected - that's all the data about "96% of the infections being users fault" is showing.

    Did you care to read data showing how infection rates have dropped on Windows 7 compared to the previous versions of Windows - while the number of malwares only increased with no decrease of infection vectors?

    Much of this can be safely attributed to things like SmartScreen and Windows Defender, with their special relevant warnings, while UAC and other warnings that "happen all the time" are really ignored by most users.

    Are you talking again about the reputation part of the SS scan? It's a guess and it really helps some users with the information it provides. If you find it annoying, you should be able to easily disable it.
     
    Last edited by a moderator: Nov 24, 2011
  16. guest

    guest Guest

    Folder icon anyone?
     
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    There's a lot more than just UAC in Windows 7. Like ASLR and multiple other mitigation techniques.

    As for splitting up dev work they're still wasting time on a project. Yeah, maybe those devs are only useful for smartscreen and couldn't have been reallocated or couldn't have simply made a useful feature.

    I think if you have to call a security feature "Better than nothing" it really speaks quite a lot about it.

    And the fact that Win7 has only recently started to pass WinXP in terms of popularity and many businesses are on XP.

    Also the fact that 64bit is significantly more secure and the vast majority of XP users are on 32bit.

    Remains to be seen about SS. Defender, sure. That's an entirely different model.
     
  18. guest

    guest Guest

    None of them (ASLR, 64-bit mitigation, etc etc) stop keyloggers or adwares, lol. Not even UAC, as they can be made without admin rights.

    These are the malware kinds that are increasing their variations very much and are being blocked by SmartScreen and Windows Defender on Win 7 helping its user base get less infection rates than older Windows user bases.

    Remains to be seen? LOL? Are you kidding me?

    20110517-SmartScreenHighLevelVisio.png

    Source: http://blogs.msdn.com/b/ie/archive/2011/05/17/smartscreen-174-application-reputation-in-ie9.aspx
     
  19. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Right... because, that's precisely what 99% of Windows users want to do...

    o_O

    Sorry, there's a great third-party application I use, that does what I want, and all I got to do is to right-click a folder, click the program's name and choose the color. Pronto.

    I could easily create my own folders, with different colors and images and all that. But, why would I want to waste my time, when such a great functionality could be already native in the system? To me, it makes all sense that it should be part of the O.S. It's useful. It's an easy way for users to quickly spot a folder in a bunch of sub-directories. Isn't it?
     
  20. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I know about that. As I answered to the other user, I can make as many folders as I want. But, I won't waste my time on it, when it could already be provided by system, by right-clicking a folder, and choosing colors from there.

    Also, creating* new folders, with different colors, isn't something 99% of Windows users would want to be manually doing.

    * As in, first designing the folders or applying different colors using an image editor to a main folder, and save different ones for each color. Why not an automatic way? ;)
     
  21. guest

    guest Guest

    I understand. That would be nice. Never understood why the folders have to be yellow by default and so hard to change -- in real world they come in all colors "by default". :D

    If I ever sign in for Windows 8 Beta, I will give them this suggestion as well.
     
    Last edited by a moderator: Nov 24, 2011
  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I agree that those mitigations won't stop low-rights socially engineered malware ie: the equivalent of a text file opening up and saying "enter your credit card info" and for that you need a whole other set of mitigations.

    Blacklisting is great for this. Whitelisting is decent. Reputation is lame. When you add reputation to blacklisting and whitelisting you make everything worse.


    Whether it's effective in Windows 8 absolutely remains to be seen. We have no idea if what works for a browser will work for an entire OS. In IE9 (according to MS) it's done well. I'd rather see studies done by some third parties and I'd like to know how they're doing their tests.



    As a blacklist it's nice. As a whitelist it's fine. Reputation is going to cause lots of popups and they'll make users turn it off or lose trust in its opinions.
     
  23. guest

    guest Guest

    That's not what their studies and statistics are saying. Quite the contrary: people are paying attention to it.

    ROFL, why would they fake such statistics? The service is FREE! For marketing purposes? MARKETING purposes for a FREE service that is going to work for every browser (with the verification being done after the file is downloaded starting with Win8)?

    They have much more to lose by faking these statistics while winning nothing. They would lose trust from their security providers, to begin with.

    No matter how you try to deny the facts, SmartScreen simply rocks.

    Read how the damn thing works!
    http://blogs.msdn.com/b/ie/archive/...plication-reputation-building-reputation.aspx

    Plus it is another pressure for devs to make use of best practices (Digitally sign your programs with an Authenticode signature. / Ensure downloads are not detected as malware. / Apply for a Windows Logo.)
     
    Last edited by a moderator: Nov 24, 2011
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I'm sure they are.

    lol... there is no part of this that is free. That's like asking "omg why do they market Bing?" because brand name value has legitimate value.

    I've read how it works.
     
  25. guest

    guest Guest

    ~ignoring that you're probably being ironic~

    Finally you admitted the facts. Funny that I needed to make so many posts to help you see what is plain clear.

    Let me remake my sentence: Why would they fake SmartScreen's statistics and risk losing trust from their security providers, to begin with, for something that is free, will work for every browser at some point, and show no ads whatsoever?

    Brand value? Sure, but the brand value only rises up when what they make really works as intended. The value won't rise up with fake statistics that almost only power users pay attention to anyways.

    And how can you position yourself against facts? You are in the 5% minority of IE9 users that ignores reputation warnings. For everyone else, it works as expected and helps against malicious social engineering.
     